ABSTRACT


Information security incidents such as personal information leakage have come to be regarded as serious risk factors that directly reduce corporate sales and damage corporate image. To manage information security systematically, enterprises are introducing information security systems more than ever before. This study derives the major items of an information security system from the viewpoint of corporate organizational management, using the technology-organization-environment (TOE) framework, and suggests a direction for building and managing such a system. To this end, the Analytic Hierarchy Process (AHP) was applied to 20 items derived from previous studies. A survey was conducted among 24 individuals: 12 corporate internal administrators and 12 external consultants. Environmental factors turned out to affect the information security system more strongly than technical and organizational factors. Notably, 'compliance with legal requirements', 'protection of information subjects' rights' and 'spread of information security awareness' affected the operation of the information security system and the related decision-making. This finding suggests that, although technical and organizational management remain essential to operating a corporate information security system, the system must respond swiftly to rapid market changes and to legal and administrative changes concerning information security.
1. INTRODUCTION


The 3rd Industrial Revolution, in which corporate economic activity came to rely on information exchanged through the Internet and computers, has given way to the 4th Industrial Revolution, whose key technologies have spread throughout industry. With the rapid advancement of technologies such as IoT, cloud, big data, mobile 5G, AI, blockchain, 3D printing, and robotics [1], a wide range of technology areas is now used in corporate information management, including information collection, storage, and utilization. While such technologies maximize the ripple effect on corporate economic activity, they also bring threats to information security, including information capture, interference, and misuse [2].

Many enterprises around the globe have reported losses from information security vulnerabilities. In 2019, Capital One, a large U.S. financial holding company, suffered a customer data leak affecting roughly 106 million individuals after a misconfiguration in its cloud environment was exploited. In 2020, updates to Orion, a widely used IT management product of the U.S. company SolarWinds, were found to carry malicious code inserted through a supply-chain attack; the trojanized updates were distributed to about 18,000 customers worldwide. More recently, intrusions have spread through the VPNs widely used by employees working from home during the COVID-19 pandemic, so that even channels regarded as secure and reliable have not been exempt from large-scale security incidents. As technological advancement accelerates, the need for a general inspection of the corporate information security system and for general plans to strengthen information security is emphasized all the more [3].


Information security is thus one of the most critical elements of business management. A single security incident is a severe threat that may lead to customer churn, reduced sales, and loss of corporate image. Moreover, corporate awareness of the importance of information security has increased in line with social change, and the number of enterprises introducing an information security system to manage information security systematically is growing. In particular, to secure business continuity and cope efficiently with information leakage attempts that are more sophisticated than their predecessors, information security must be built and managed in a manner more systematic than the existing product-centered technical response [4].

Most previous studies, however, have focused on comparing the importance of individual ISMS items, which form the basis for corporate information security checkups and planning [5], or on technical information security activities such as investment in information security and incident control [6]. As the scope of corporate information security widens, an information security system connected with major business strategies in digital environments is needed, and so corporate information security systems and their management methods should be examined [7].


Accordingly, this study defines the primary considerations for reinforcing a corporate information security system in terms of technology, organization, and environment, based on the TOE framework, and derives the factors that most strongly affect the efficiency of such a system. It presents specific implications that support sound and efficient decision-making on building and managing a corporate information security system.
2. LITERATURE REVIEW
2.1. Corporate Information Security System 

'Information security' means building administrative and technical means to prevent the damage, alteration, and leakage of information in the process of its collection, processing, storage, retrieval, and transmission; an information security system is one such means. An 'Information Security Management System (ISMS)' is a series of steps and activities to systematically and continually build, document, manage, and operate information security procedures so that the primary goals of information security, namely the confidentiality, integrity, and availability of information assets, are fulfilled [8]. Under the ISMS certification system, a third-party certification body evaluates the information security operated in an organization objectively and independently and thereby attests that the standard is fulfilled.


Corporate information security activity includes risk management and information security measures across the administrative, technical, and physical security sectors, based mainly on ISMS standards. The ISMS is the basis for systematically building, and continually controlling and operating, the procedures for managing corporate information assets so as to secure confidentiality, integrity, and availability. To check corporate safety and reliability, an official review against the certification criteria is conducted by independent institutions such as the Korea Internet & Security Agency (KISA), designated by the Korea Communications Commission [9].


Information security systems currently applicable in Korea and abroad include Information Security Management Systems Requirements (ISO/IEC 27001), Managing Risk from Information Systems: An Organizational Perspective (NIST SP 800-39), the Korea Internet & Security Agency Information Security Management System (KISA ISMS), the Personal Information Management System (PIMS), the Government Information Security Management System (G-ISMS), the Information Security Check Service (ISCS), and Critical Information Infrastructure Protection (CIIP) [10].

In Korea, after the Personal Information Protection Act came into effect, the PIMS and ISMS were integrated into the ISMS-P on November 7, 2018, to reduce confusion among the institutions concerned and the resource burden caused by the similar but separately operated regulatory items of the two systems. The regulatory items of each management system are listed in Table 1.


Table 1 Certification criteria of the information security and personal information protection management systems

Area (No. of items) | Sector (No. of sub-items) | ISMS | ISMS-P
1. Build-up and operation of the management system (16) | 1.1 Build-up of the framework for the management system (6) | O | O
 | 1.2 Risk management (4) | O | O
 | 1.3 Operation of the management system (3) | O | O
 | 1.4 Checkup and improvement of the management system (3) | O | O
2. Requirements for protective measures (64) | 2.1 Policy, organization, and asset management (3) | O | O
 | 2.2 Personnel security (6) | O | O
 | 2.3 Visitor security (4) | O | O
 | 2.4 Physical security (7) | O | O
 | 2.5 Authentication and authorization management (6) | O | O
 | 2.6 Access control (7) | O | O
 | 2.7 Encryption (2) | O | O
 | 2.8 Information system implementation, development, and security (6) | O | O
 | 2.9 System/service operation and management (7) | O | O
 | 2.10 System/service security management (9) | O | O
 | 2.11 Incident prevention and response (5) | O | O
 | 2.12 Disaster recovery (2) | O | O
3. Requirements for each step of personal information processing (22) | 3.1 Protective measures for personal information collection (7) | - | O
 | 3.2 Protective measures for personal information retention and use (5) | - | O
 | 3.3 Protective measures for personal information provision (4) | - | O
 | 3.4 Protective measures for personal information destruction (3) | - | O
 | 3.5 Protection of the information subject's rights (3) | - | O

Source: KISA, January 2019


Such rapid changes in IT convergence environments have raised keen awareness of threats to and vulnerability of information assets such as personal information and corporate information, and accordingly appropriate risk management activities are necessary [11]. To protect such corporate information assets and strengthen organizational competitiveness, efforts have been made continually to build and operate an Information Security Management System that enhances the information security management process. The value of information assets is an essential element in the development and continuity of an organization, and the proper operation of a consistent, systematic, and comprehensive Information Security Management System for significant information assets is essential to minimize the organization's losses, secure a competitive edge, and thus improve the reliability and value of the organization.
For this reason, the importance of information security governance has recently been emphasized [12]. An enterprise's information security activity, aligned with its business objectives, is the starting point of governance for building and operating information security goals, and the operation, control, and continued monitoring of the information security system [13] are the basis for creating synergy between business strategy and organizational decision-making.


2.2. The Effect Factors of a Corporate Information Security System 


Information security system frameworks applied and operated in Korea and abroad present measurement items for information security cycle models and performance (see Table 2).


Table 2 Classification of information security performance measurements for each framework of the information security systems

Framework | Classification of information security performance measurements
BCMM | Improvement of information security awareness (among executives and employees); level of information asset control (resources provided); level of access setting (access control)
ISM3 | Integrated security applicability (development security); level of compliance with legal requirements (legal compliance, security audit, law and agreement, administration system efficiency); level of risk management and response (business risk, risk assessment, treatment, and input/output management)
ISO27004 | Improvement of information security awareness (education on the management system efficiency); sales increase (economic performance and sales increase); cost-saving (economic performance and cost-saving); image improvement (organizational value increase)
JIPDEC | Level of compliance with legal requirements (internal audit and law compliance); improvement of information security awareness (improvement of brand recognition and of the security level); work satisfaction (productivity improvement); applicability of integrated security measures (system and data protection, and information security base index)
KISA | Work satisfaction (work efficiency); rate of proper measures for infringement incidents such as malware infection (infringement by hacking or viruses, and privacy infringement); applicability of integrated security (determination of the level of embodiment of information security programs, and embodiment of information security programs)
NIST SP800-55 | (entries not legible in the source)


As a prominent example, the ISMS-P is a series of steps and activities to systematically document information security procedures, including those for personal information, and to manage and operate them continually and efficiently. Through these activities the ISMS-P aims to realize the confidentiality, integrity, and availability of information assets, improving business stability and securing legal compliance for ethical and transparent management. In addition, ISMS-P-certified organizations can minimize financial losses even in the event of an infringement incident or class action [9, 13].

Among previous studies emphasizing the value of information security systems in business management, Eloff and Eloff [14] viewed compliance with legal requirements, risk management and response, and information security awareness as essential factors. Posthumus and Von Solms [15] likewise regarded compliance with legal requirements, auditing, monitoring, access setting, and measures for infringement incidents such as malware infection as necessary. Richards [16] emphasized risk management and response as the most crucial element, with sub-factors such as risk management activity, risk analysis, and risk identification. Von Solms [17] suggested improving information security awareness through education, and the maintenance and control of information security activity, as vital factors. Bulgurcu et al. [18] pointed out the importance of compliance with legal requirements, the information asset control system, maintenance and control, access setting, and the applicability of integrated security.

Such factors may be explained with the TOE framework that Witty and Hallawell [19] used to classify the elements affecting an organization's introduction and management of information technology. As stated in previous studies [8, 20], factors affecting the information security system may be derived from three contexts: environment, technology, and organization. The external environmental context is the arena in which an enterprise runs its business: its industry sector, competitors, resource suppliers, and the government. The technological context includes all the technologies the organization faces inside and outside: not only those in use within the organization but also every other technology available in the market. Finally, the organizational context is the organization's own characteristics, which in general include its size, centralization, formalization, complexity, human resource quality, and other internal resources.


3. RESEARCH METHODS 
3.1. Analytic Hierarchy Process (AHP) 


The Analytic Hierarchy Process (AHP) is a method for selecting one solution in a situation where several objectives matter to the decision-maker. The relative importance of the alternatives is compared pairwise and quantified in order to evaluate them and solve a complicated problem. When decision-making involves multiple, complex goals or evaluation criteria, the method supports the systematic evaluation of mutually exclusive alternatives: the attributes of the problem are examined systematically and hierarchically and standardized [21].


https://iaeme.com/Home/journal/IJEET editor@iaeme.com


A Decision-Making Model for Reinforcing a Corporate Information Security System


The method was developed by Professor Thomas Saaty in the early 1970s, in collaborative work with game theory experts, as an alternative to inefficient decision-making processes [22]. It is a decision-making methodology that elicits the evaluator's knowledge, experience, and intuition through pairwise comparisons between the elements that form the decision hierarchy. The AHP is widely used to derive key factors, set policy alternatives, and establish strategies [23], and it derives the evaluation result from the aggregate ranking of relative importance among elements determined by each evaluator [24]. Accordingly, this study uses the AHP to evaluate the relative importance of the factors affecting the reinforcement of a corporate information security system.


Of the two AHP calculation approaches, the 'geometric mean of pairwise comparisons' was used to calculate relative importance. This widely used method determines the relative importance of the factors from the geometric mean of each row of the pairwise comparison matrix. Taking into account the probabilistic characteristics by which the difference between an input variable and a model output variable is examined, the reliability of the calculation basis and of the results for the input variables was secured by setting the weight of each factor, using the AHP variable weight calculation method suggested by Gangwar et al. [25].
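The following Python program is an added worked example, not the study's own code or survey data, of the AHP calculation described above: it builds a reciprocal pairwise comparison matrix from questionnaire answers, derives local weights by the row geometric-mean method, computes Saaty's consistency ratio (the check that tells whether a respondent's judgments are usable), aggregates several evaluators by element-wise geometric mean, and turns local weights into global weights with a ranking. The judgments in it are constructed for illustration; the random consistency index values are Saaty's standard table, and the 0.1 acceptance limit is Saaty's conventional one.

```python
"""AHP priorities by the row geometric-mean method, with Saaty's consistency check.

Added worked example (not the study's own code or survey data).  The pairwise
judgments below are constructed for illustration only.
"""
import math
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[float]]

# Saaty's random consistency index RI by matrix order n (n = 1..10).
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}
CR_LIMIT = 0.10  # Saaty's conventional acceptance limit for the consistency ratio


def reciprocal_matrix(labels: Sequence[str],
                      judgments: Dict[Tuple[str, str], float]) -> Matrix:
    """Build the full n x n reciprocal matrix from upper-triangle answers.

    judgments[(a, b)] = v means 'a is v times as important as b' (Saaty 1-9
    scale; fractions express the reverse).  The mirrored cell gets 1/v.
    n(n-1)/2 answers are needed per matrix, which is why a questionnaire
    covering 3 areas and 6 + 6 + 5 factors has 3 + 15 + 15 + 10 = 43
    pairwise questions.
    """
    n = len(labels)
    if len(judgments) != n * (n - 1) // 2:
        raise ValueError(f"expected {n * (n - 1) // 2} judgments, got {len(judgments)}")
    idx = {lab: i for i, lab in enumerate(labels)}
    m = [[1.0] * n for _ in range(n)]
    seen = set()
    for (a, b), v in judgments.items():
        pair = frozenset((a, b))
        if a == b or pair in seen or v <= 0:
            raise ValueError(f"invalid or duplicate judgment {a} vs {b} = {v}")
        seen.add(pair)
        i, j = idx[a], idx[b]
        m[i][j], m[j][i] = float(v), 1.0 / v
    return m


def priority_vector(m: Matrix) -> List[float]:
    """Local weights: each row's geometric mean, normalised to sum to 1."""
    n = len(m)
    gm = [math.prod(row) ** (1.0 / n) for row in m]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(m: Matrix) -> float:
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); a 1x1 or 2x2 matrix is always consistent."""
    n = len(m)
    if n <= 2:
        return 0.0
    w = priority_vector(m)
    aw = [sum(m[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def aggregate_judgments(matrices: Sequence[Matrix]) -> Matrix:
    """Combine several evaluators' matrices by element-wise geometric mean.

    The result stays reciprocal (the geometric mean of the 1/v entries is the
    reciprocal of the geometric mean of the v entries); an arithmetic mean
    would not preserve that property.
    """
    k, n = len(matrices), len(matrices[0])
    return [[math.prod(m[i][j] for m in matrices) ** (1.0 / k)
             for j in range(n)] for i in range(n)]


def global_priorities(area_weights: Dict[str, float],
                      local_weights: Dict[str, Dict[str, float]]
                      ) -> Tuple[Dict[str, float], Dict[str, int]]:
    """Global weight = area weight x local weight; competition ranking, ties share a rank."""
    g = {f: area_weights[a] * w
         for a, factors in local_weights.items() for f, w in factors.items()}
    ordered = sorted(g.items(), key=lambda kv: -kv[1])
    ranks: Dict[str, int] = {}
    prev_val, prev_rank = None, 0
    for pos, (f, v) in enumerate(ordered, start=1):
        if prev_val is not None and math.isclose(v, prev_val, abs_tol=1e-9):
            ranks[f] = prev_rank
        else:
            ranks[f] = prev_rank = pos
        prev_val = v
    return g, ranks


AREAS = ("Environment", "Organization", "Technology")
# Constructed judgments of one hypothetical evaluator at the area level.
EVALUATOR_1 = reciprocal_matrix(AREAS, {
    ("Environment", "Organization"): 2,
    ("Environment", "Technology"): 3,
    ("Organization", "Technology"): 2,
})
# Cyclic judgments (E > O > T > E): maximally inconsistent, must be rejected.
CYCLIC = reciprocal_matrix(AREAS, {
    ("Environment", "Organization"): 3,
    ("Organization", "Technology"): 3,
    ("Technology", "Environment"): 3,
})

if __name__ == "__main__":
    w = priority_vector(EVALUATOR_1)
    print("area weights:", [round(x, 3) for x in w],
          "CR:", round(consistency_ratio(EVALUATOR_1), 3))
    cr = consistency_ratio(CYCLIC)
    print("cyclic matrix CR:", round(cr, 3), "accepted:", cr <= CR_LIMIT)
```

Run as a script, it prints weights of about 0.540, 0.297 and 0.163 for the first matrix with a consistency ratio near 0.008, and a ratio above 1 for the cyclic matrix. In practice each respondent's matrix is checked against CR_LIMIT before aggregation, since a cyclic or otherwise contradictory respondent still yields a perfectly well-formed weight vector and would silently distort the aggregate.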


3.2. Research Framework and Variables 


Based on previous studies, this study sets and comparatively analyzes 'technical factors', 'organizational factors', and 'environmental factors', following the TOE framework, as determinants of decision-making to reinforce corporate information security management. 'Technical factors' are the technology-related factors affecting decision-making on activities to strengthen information security, such as information collection and management, information access control, cyber damage recovery, response to information security threats, information asset control, and application of integrated security technology.


Figure 1 Research Framework: decision-making on reinforcing the corporate information security system, with three evaluation areas and their factors. Technology: information collection and management; information access control; cyber damage recovery; response to information security threats; control of information assets; application of integrated security technology. Organization: protection of organizational resources (personal and material); risk management (incident prevention and response); strengthening of organizational competitiveness; reliability and image improvement; enhancement of work efficiency; cost saving effect. Environment: reflection of governmental policies; acquisition of certification and authorization; protection of information subjects' rights; compliance with legal requirements; spread of information security awareness.


'Organizational factors' are the factors that affect the organizational aspects of activities to strengthen information security, such as organizational resource protection, risk management, reinforcement of organizational competitiveness, reliability and image improvement, work efficiency enhancement, and cost-saving effect. Finally, 'environmental factors' include policy environment factors such as reflection of governmental policies, acquisition of certification or authorization, and compliance with legal requirements, as well as market environment factors such as protection of information subjects' rights and spread of information security awareness (see Figure 1). The three key variables and their 17 sub-factors, 20 evaluation components in total, are listed in Table 3.


Table 3 Evaluation factors and definitions

Evaluation area | Evaluation factor | Factor definition | Related references
Technology | Information collection and management | It is thought that information security management activities should be strengthened because information collection and management are important. | [26], Kamal [27], Al-Natour and Benbasat [28], Hossain and Quaddus [29]
 | Information access control | It is thought that information security management activities should be strengthened because information access control is valuable. |
 | Cyber damage recovery | It is thought that information security management activities should be strengthened because cyber damage recovery is of importance. |
 | Response to information security threats | It is thought that information security management activities should be strengthened because a proper response to information security threats is essential. |
 | Information asset control | It is thought that information security management activities should be strengthened because information asset control is vital. |
 | Application of integrated security technology | It is thought that information security management activities should be strengthened because the application of integrated security technology is crucial. |
Organization | Organizational resource protection | It is thought that information security management activities should be strengthened because they help protect human, material, and organizational resources. | Ajzen [30], Alsene [31], Grandon and Pearson [32]
 | Risk management | It is thought that information security management activities should be strengthened because they help organizational risk management. |
 | Reinforcing of organizational competitiveness | It is thought that information security management activities should be strengthened because they help reinforce organizational competitiveness. |
 | Reliability and image improvement | It is thought that information security management activities should be strengthened because they help improve reliability and image. |
 | Work efficiency enhancement | It is thought that information security management activities should be strengthened because they help enhance work efficiency. |
 | Cost-saving effect | It is thought that information security management activities should be strengthened because they help save costs. |
Environment | Reflection of governmental policies | It is thought that information security management activities should be strengthened in order to reflect governmental policies. | Davis [33], Caldeira and Ward [34], Eze et al. [35]
 | Acquisition of certification or authorization | It is thought that information security management activities should be strengthened to acquire certification or authorization. |
 | Protection of information subjects' rights | It is thought that information security management activities should be strengthened to protect information subjects' rights (customers and those interested in the business). |
 | Compliance with legal requirements | It is thought that information security management activities should be strengthened to comply with legal requirements. |
 | Spread of information security awareness | It is thought that information security management activities should be strengthened in line with the spread of information security awareness. |

3.3. Research Process and Data Collection


This study analyzes the factors affecting decision-making on reinforcing a corporate information security system. To this end, a pairwise comparison questionnaire was used to apply the AHP methodology based on the research framework in Figure 1. The questionnaire consists of 44 questions: 1 open-ended question and 43 pairwise comparison questions (3 comparisons among the three areas, 15 each within the technology and organization areas, and 10 within the environment area). A pilot test was conducted among five information security experts.


The survey respondents were experts with a deep understanding of corporate information security activities who currently handle related duties. Corporate information security activities fall into two classes: those carried out by an enterprise's own team and those carried out by an external consulting agency. Accordingly, the survey covered both information security administrators within enterprises and consultants from external agencies that help strengthen enterprises' information security activities. In view of the expertise and experience required, respondents were selected among individuals with about 10 years of experience in the industry.


The survey was conducted over one month in December 2020 through one-to-one interviews. The survey background and the definitions of the variables were explained to each participant for at least an hour so that they were fully understood, and participants answered the questions following the researcher's detailed guidelines. In all, 24 questionnaires were collected and analyzed: 12 from corporate internal administrators and 12 from external consultants.


4. RESULTS 


4.1. Comparison of Evaluation Variables 


The consistency ratio (CR) of every pairwise comparison matrix was below 0.2659. (Saaty's conventional acceptance limit is CR <= 0.1, so the least consistent matrices exceed it, and the weights below should be read with that caveat.) As shown in Table 4, the three key factor groups affecting the improvement of corporate information security management were ranked in the order of environmental factors (0.484), organizational factors (0.329), and technical factors (0.188). Thus the most influential factors in decision-making on information security management activity were environmental. Specifically, compliance with legal requirements (0.131) was the most influential sub-factor, followed by protection of information subjects' rights (0.128), risk management (0.095), and reflection of governmental policies (0.089). In addition, organizational resource protection (0.081) and spread of information security awareness (0.081), a market environment factor, also turned out to be influential.


Table 4 Weights and priority of evaluation variables

Evaluation area (weight) | Evaluation factor | Local weight | Local priority | Global weight | Global priority
Technology (0.188) | Information collection and management | 0.132 | 4 | 0.025 | 14
 | Information access control | 0.221 | 2 | 0.041 | 11
 | Cyber damage recovery | 0.085 | 6 | 0.016 | 17
 | Response to information security threats | 0.229 | 1 | 0.043 | 10
 | Information asset control | 0.206 | 3 | 0.039 | 12
 | Application of integrated security technology | 0.127 | 5 | 0.024 | 15
Organization (0.329) | Organizational resource protection | 0.248 | 2 | 0.081 | 5
 | Risk management | 0.290 | 1 | 0.095 | 3
 | Reinforcing of organizational competitiveness | 0.151 | 4 | 0.049 | 9
 | Reliability and image improvement | 0.171 | 3 | 0.056 | 7
 | Work efficiency enhancement | 0.087 | 5 | 0.029 | 13
 | Cost-saving effect | 0.053 | 6 | 0.017 | 16
Environment (0.484) | Reflection of governmental policies | 0.185 | 3 | 0.089 | 4
 | Acquisition of certification or authorization | 0.112 | 5 | 0.054 | 8
 | Protection of information subjects' rights | 0.265 | 2 | 0.128 | 2
 | Compliance with legal requirements | 0.271 | 1 | 0.131 | 1
 | Spread of information security awareness | 0.168 | 4 | 0.081 | 5
Total (areas 1.000) | | 1.000 per area | | 1.000 |


4.2. Comparison of Evaluation Areas between the Corporate Internal Administrator and Consulting Expert Groups


When the corporate internal administrator group was compared with the consulting expert group, the ordering was the same: as shown in Table 5, the weights were in the order of environment, organization, and technology in both groups. However, the corporate internal administrator group placed more weight on environmental factors (0.484 versus 0.477) and technical factors (0.212 versus 0.169), whereas the consulting expert group placed more weight on organizational factors (0.354 versus 0.305).


Table 5 Comparison analysis results on evaluation areas

Evaluation area | Corporate internal group: local weight | Priority | Consulting group: local weight | Priority
Environment | 0.484 | 1 | 0.477 | 1
Organization | 0.305 | 2 | 0.354 | 2
Technology | 0.212 | 3 | 0.169 | 3
Total | 1.000 | | 1.000 |

4.3. Comparison of Evaluation Factors between the Corporate Internal Administrator and Consulting Expert Groups


As shown in Table 6, the comparative analysis of individual factors between the groups indicates that 'compliance with legal requirements' was the most important factor in both groups, followed by 'protection of information subjects' rights'. Among the 3rd to 6th factors, 'reflection of governmental policies' ranked third for the corporate internal administrator group (0.094) but sixth for the consulting group (0.083), so the internal administrators regarded it as far more important.


'Risk management' ranked fourth for the internal administrators (0.090) and third for the consultants (0.100), so the consulting group regarded it as more important. 'Spread of information security awareness' ranked fifth in both groups (0.077 for the internal administrators and 0.084 for the consultants). Finally, 'protection of organizational resources' ranked sixth for the internal administrators (0.070) and fourth for the consultants (0.094), so the consulting group was more affected by this factor than the internal administrators.
Table 6 Comparison analysis results on evaluation factors 

Corporate = corporate internal management group; Consulting = consulting group. Entries marked 
[illegible] could not be recovered from the scanned table. 

Evaluation factor                               | Local weight           | Global weight          | Priority (global) 
                                                | Corporate | Consulting | Corporate | Consulting | Corporate | Consulting 
------------------------------------------------|-----------|------------|-----------|------------|-----------|----------- 
Information collection and management           | 0.139     | 0.123      | 0.029     | 0.021      | 14        | 15 
[illegible] control                             | [illegible] | 0.209    | 0.049     | 0.035      | 8         | 11 
[illegible] recovery                            | 0.081     | 0.090      | 0.017     | 0.015      | 17        | 17 
Response to information security threats        | 0.250     | 0.209      | 0.053     | 0.035      | 7         | 10 
[illegible] control                             | [illegible] | 0.208    | 0.043     | 0.035      | 12        | 11 
Application of integrated security technology   | 0.098     | 0.161      | 0.021     | 0.027      | 15        | 13 
Organizational resource protection              | 0.230     | 0.265      | 0.070     | 0.094      | 6         | 4 
Risk management                                 | 0.295     | 0.283      | 0.090     | 0.100      | 4         | 3 
Reinforcement of organizational competitiveness | 0.154     | 0.146      | 0.047     | 0.052      | 11        | 9 
Reliability and image improvement               | 0.158     | 0.186      | 0.048     | 0.066      | 10        | 7 
[illegible] efficiency enhancement              | 0.103     | 0.073      | 0.031     | 0.026      | 13        | 14 
Cost saving effect                              | 0.061     | 0.047      | 0.019     | 0.017      | 16        | 16 
Reflection of governmental policies             | 0.194     | 0.175      | 0.094     | 0.083      | 3         | 6 
Acquisition of certification or authorization   | 0.101     | 0.124      | 0.049     | 0.059      | 8         | 8 
Protection of information subjects’ rights      | 0.272     | 0.255      | 0.132     | 0.122      | 2         | 2 
Compliance with legal requirements              | 0.274     | 0.270      | 0.133     | 0.129      | 1         | 1 
Spread of information security awareness        | 0.159     | 0.176      | 0.077     | 0.084      | 5         | 5 
Total                                           | 3.000     | 3.000      | 1.0000    | 1.0000     |           | 
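The AHP synthesis behind Table 6, as an added example (not the paper's own code): each global weight is the weight of the sub-factor's TOE category multiplied by its local weight, and priorities are ranked over all sub-factors at once. The category weights are not printed in Table 6 and are assumed here, back-computed from its global/local ratios; the grouping of rows into the three categories follows table order (each group's local weights sum to 1), and labels the scan left illegible are marked as such.

```python
# AHP synthesis behind Table 6 (added example, not the paper's code): the global
# weight of a sub-factor = TOE category weight x its local weight; ranks run over
# all 17 sub-factors together.
from typing import Dict, List

# Assumed category weights: Table 6 omits them, so they are back-computed here
# from its printed global/local ratios (e.g. 0.132 / 0.272 ~ 0.485).
CATEGORY_WEIGHTS = {
    "corporate":  {"technology": 0.210, "organization": 0.305, "environment": 0.485},
    "consulting": {"technology": 0.167, "organization": 0.355, "environment": 0.478},
}

# Table 6 rows: (category, factor, local corp., local cons., global corp.,
# global cons.); None marks a value that is illegible in the scanned table.
TABLE6 = [
    ("technology", "Information collection and management", 0.139, 0.123, 0.029, 0.021),
    ("technology", "[illegible] control (row 2)", None, 0.209, 0.049, 0.035),
    ("technology", "[illegible] recovery (row 3)", 0.081, 0.090, 0.017, 0.015),
    ("technology", "Response to information security threats", 0.250, 0.209, 0.053, 0.035),
    ("technology", "[illegible] control (row 5)", None, 0.208, 0.043, 0.035),
    ("technology", "Application of integrated security technology", 0.098, 0.161, 0.021, 0.027),
    ("organization", "Organizational resource protection", 0.230, 0.265, 0.070, 0.094),
    ("organization", "Risk management", 0.295, 0.283, 0.090, 0.100),
    ("organization", "Reinforcement of organizational competitiveness", 0.154, 0.146, 0.047, 0.052),
    ("organization", "Reliability and image improvement", 0.158, 0.186, 0.048, 0.066),
    ("organization", "[illegible] efficiency enhancement", 0.103, 0.073, 0.031, 0.026),
    ("organization", "Cost saving effect", 0.061, 0.047, 0.019, 0.017),
    ("environment", "Reflection of governmental policies", 0.194, 0.175, 0.094, 0.083),
    ("environment", "Acquisition of certification or authorization", 0.101, 0.124, 0.049, 0.059),
    ("environment", "Protection of information subjects' rights", 0.272, 0.255, 0.132, 0.122),
    ("environment", "Compliance with legal requirements", 0.274, 0.270, 0.133, 0.129),
    ("environment", "Spread of information security awareness", 0.159, 0.176, 0.077, 0.084),
]

def check_synthesis(group: str, tol: float = 0.001) -> List[str]:
    """Factors whose printed global weight differs from category x local by > tol."""
    i_loc, i_glob = (2, 4) if group == "corporate" else (3, 5)
    return [row[1] for row in TABLE6 if row[i_loc] is not None
            and abs(CATEGORY_WEIGHTS[group][row[0]] * row[i_loc] - row[i_glob]) > tol]

def rank_global(group: str) -> Dict[str, int]:
    """Competition rank (1 = heaviest) of printed global weights across all
    categories; ties at three decimals share a rank (the paper ranked unrounded)."""
    i_glob = 4 if group == "corporate" else 5
    ordered = sorted((row[i_glob] for row in TABLE6), reverse=True)
    return {row[1]: ordered.index(row[i_glob]) + 1 for row in TABLE6}
```

Running `check_synthesis` for both groups returns no mismatches, and `rank_global` places ‘spread of information security awareness’ fifth in both groups, as the text above states.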
5. CONCLUSION 


Based on previous studies, this study comparatively analyzes significant factors related to 
reinforcing the corporate information security system, focusing on technology, organization, 
and environment factors, and derives the factors that significantly affect decision-making. 
Three major findings of this study can be summarized as follows. First, the environmental 
factor turned out to be the most important of the three factors affecting corporate information 
security management, and within it compliance with legal requirements was the most crucial 
subfactor. This result aligns with previous studies on compliance with legal requirements. 


Above all, the importance attached to the information security system and its current 
management conditions, such as its scale, depend on internal political perspectives and external 
regulations rather than on the opinions of information security experts. Because of this, the 
status and decision-making authority of information security experts within an enterprise need 
to be reconsidered. Information security experts, for their part, need to improve their ability to 
solve administrative problems arising from political and regulatory environment factors, as 
well as technical problems. 


Second, both the corporate internal administrator group and the information security consulting 
expert group viewed the environment and organization factors as more important than the 
technology factor. Traditionally, the important topics in guidelines and frameworks for building 
and managing an information security system have been technical factors such as information 
collection, information control, and threat management, treated as matters of regulatory 
management. Such technology-centered discussion is limited in that it focuses on the information 
security system itself, while organizational synergy and systematic strategies within the 
enterprise are often neglected. 


As stated in the findings of this study, however, the corporate information security system 
considers awareness in and out of the organization and compliance with regulations regarding 
information management in such aspects as the spread of information security awareness and 
protection of information subjects' rights. In addition, it is emphasized that there should be 
organizational responses to risks in terms of the protection of organizational resources. In other 
words, an enterprise's information security system should be built as a systematic operation 
mechanism that considers its vision, the direction of strategies, and governance, not merely to 
solve technical management problems. 


Finally, the major influential factors regarding the information security system were almost the 
same for the corporate internal information security administrator group and the consulting 
expert group. This means that there is little difference in the goals and direction of 
information security system management operations inside and outside an organization. In the 
past, access control was practiced with a focus on personnel security, since the primary cause of 
information leakage was an insider. For this reason, access control focused on the unauthorized 
outsider (information security consultant). However, since it is easier for an insider than for an 
outsider to access a significant system, priority should be given to the management of, and 
investment in, insiders’ access control. When internalizing information assets, strengthening 
control or management over an enterprise's insiders rather than outsiders is recommended to 
improve the effectiveness of system operation. 


However, this study has the following limitations: First, 20 factors affecting the information 
security system were derived based on the TOE framework. On the other hand, this study does 
not reflect factors to be considered to build a system for cooperative strategies or business 
strategies in the context of corporate information security activity. Future studies need to derive 
and add influential factors to consider interactions between recent corporate information 
security system characteristics and business management activities. Second, this study does not 
consider business types or scales. 


When an information security system is introduced and operated in an organization, its 
characteristics may depend on the business type or scale. Thus, it is necessary to consider and 
comparatively analyze the business type and scale more thoroughly. Finally, this study was 
conducted among information security experts in Korea. For this reason, the generalization of 
its findings has limitations. Future studies may include experts from global enterprises. In 
addition, empirical research on whether such influential factors significantly impact an 
enterprise's actual information security performance or result also needs to be conducted. 